Security and Deployment Diagrams Quiz
49 Questions

Questions and Answers

What should administrators identify first to ensure security objectives?

  • Specific quality-of-service requirements
  • Key components of the application
  • What data should be protected (correct)
  • Communication ports and protocols

Which of the following elements is NOT included in the deployment diagram?

  • External dependencies
  • Communication ports and protocols
  • User roles and permissions (correct)
  • End-to-end deployment topology

When determining key usage scenarios, what should administrators rely on?

  • Compliance requirements
  • Operating systems in use
  • Use cases of the application (correct)
  • External dependencies

Which aspect is important for identifying technologies used in an application?

  • Database server software (A) (correct)

What best describes the purpose of drawing a deployment diagram?

  • To explain the workings and structure of the application (C) (correct)

Which question helps identify higher-privileged groups of users?

  • Who can delete data? (A) (correct)

Why is it important to know about external dependencies in a deployment scenario?

  • To focus on technology-specific threats (D) (correct)

Which of the following is a key component of identifying security objectives?

  • Assess intangible assets to protect (A) (correct)

Which mechanism primarily ensures that only authorized users can access a system?

  • Authorization and authentication (A) (correct)

What is the significance of identifying trust boundaries in an application?

  • To know where trust levels change (D) (correct)

In the context of application security, what is the purpose of monitoring auditing and logging?

  • To track user activities and potential security incidents (C) (correct)

Which of the following would NOT typically be involved in effective configuration management?

  • Data flow analysis (D) (correct)

What is a key aspect of session management in application security?

  • Maintaining the state of user interactions (C) (correct)

Parameter manipulation is a threat model that primarily affects which aspect of security?

  • Input validation processes (D) (correct)

Which application security mechanism is essential for ensuring the confidentiality of sensitive data?

  • Cryptography (A) (correct)

Why is it important to identify data flows within an application?

  • To understand communication with external systems (D) (correct)

Which of the following is NOT a task involved in patch management?

  • Designing new applications (D) (correct)

What is a key benefit of implementing a Web Application Firewall (WAF)?

  • Securing existing web applications (B) (correct)

Which tool is NOT listed as a patch management tool?

  • Norton Antivirus (B) (correct)

How does a Web Application Firewall (WAF) assist with compliance?

  • By illustrating compliance with regulatory standards (C) (correct)

Which of the following tasks is included in the process of patch management?

  • Assigning and deploying patches (C) (correct)

What is the primary goal of threat modeling in application security?

  • To identify key vulnerabilities in an application's design (B) (correct)

Which of the following is essential in secure application design?

  • Adhering to established security standards (C) (correct)

Which aspect is NOT typically covered by secure coding practices?

  • Code performance optimization (B) (correct)

What is a key benefit of understanding software security standards?

  • Ensures compliance with safety regulations (A) (correct)

What approach enhances secure application deployment?

  • Automating deployment processes (C) (correct)

Which technique is used for testing application security?

  • Static code analysis (D) (correct)

How does understanding secure application architecture contribute to security?

  • It helps in identifying security-relevant components (B) (correct)

What is the main purpose of secure application development automation?

  • To streamline the development workflow (C) (correct)

Which of the following best describes secure application design?

  • Incorporating security measures from the start (D) (correct)

What role does application security testing play in software development?

  • It helps to identify vulnerabilities before deployment (A) (correct)

What is one primary purpose of application whitelisting in cybersecurity?

  • To block applications not included in a predefined list (A) (correct)

How does application whitelisting help mitigate zero-day attacks?

  • It restricts the execution of applications that could exploit vulnerabilities (B) (correct)

What impact does application whitelisting have on computer efficiency?

  • It increases efficiency by preventing unauthorized applications from running (D) (correct)

What benefit does application whitelisting provide regarding bandwidth usage?

  • It restricts non-essential applications to reclaim bandwidth (C) (correct)

Which statement reflects a legal advantage of application whitelisting?

  • It avoids lawsuits related to the use of licensed applications (A) (correct)

In what way does application whitelisting enhance visibility for organizations?

  • It tracks all applications, running or blocked, on company systems (A) (correct)

How does application whitelisting compare to traditional antivirus programs?

  • It is independent of periodic application updates (A) (correct)

What is one way application whitelisting reduces the attack surface?

  • By blocking unauthorized changes and access to applications (A) (correct)

Which of the following settings should be selected to disable Local Group Policy Objects Processing?

  • Turn Off Local Group Policy Objects Processing (D) (correct)

What is the purpose of applying Software Restriction Policies?

  • To restrict unwanted software execution (C) (correct)

What does setting the properties of 'Unrestricted' security level allow?

  • Permits all software executions without any restrictions (A) (correct)

Which application is NOT listed as a tool for application whitelisting and blacklisting?

  • SHADE Sandbox (B) (correct)

Which of the following applications is associated with application sandboxing?

  • BUFFERZONE (C) (correct)

What is the principal purpose of patch management in cybersecurity?

  • To manage software updates and vulnerabilities (A) (correct)

Which of the following statements accurately describes application sandboxing?

  • It isolates applications to prevent system harm (A) (correct)

Which tool allows for advanced application control and monitoring?

  • Ivanti Application Control (D) (correct)

Disabling which of the following settings can help in maintaining a secure environment?

  • Local Group Policy Objects Processing (D) (correct)

Which of the following options should be chosen to apply security limitations to all users?

  • Enforce Software Restriction Policies (D) (correct)

Flashcards

Security Objectives

Questions to determine what data needs protection and whether there are compliance or quality-of-service requirements.

Deployment Scenario

A visual representation of the application's structure, subsystems, and deployment environment (topology).

Deployment Diagram

A diagram depicting the application's end-to-end topology, logical layers, key components, services, communication ports/protocols, identities, and external dependencies using a whiteboard.

Application Roles

Identifying users and their access privileges (read, update, delete data; higher-privileged groups).

Usage Scenarios

Analyzing the application's use and misuse to define its objectives.

App Technologies

Listing the software components (operating systems, web servers, database servers, layers, development languages) to identify potential threats.

Data Protection Questions

Determine data needing protection, compliance requirements, and quality of service.

Identifying application access levels

Determining who can access and modify different resources within an application.

Application Security

Protecting software applications from various threats and vulnerabilities.

Secure Application Design

Designing software applications with security in mind, thinking about how to stop attacks at the start.

Secure Coding Practices

Writing code with security in mind so that it resists attack.

Software Security Standards

Rules and guidelines that define how software is to be developed securely.

Threat Modeling

Identifying potential threats and vulnerabilities in a software application.

Vulnerabilities

Weaknesses in a software application that attackers can exploit.

Application Deployment

The process of releasing and setting up software so it can work.

Application Automation

Using software to control other software so that the application's processes run faster.

Security Testing

Finding vulnerabilities in software through testing.

Security Testing Tools

Software used to automatically perform security tests.

Input Validation

Checking and sanitizing user inputs to prevent malicious data from affecting application logic or security.

Authorization and Authentication

Processes for verifying user identity and ensuring they have the correct permissions to access specific application resources.

Trust Boundaries

Identifying parts of an application with varying levels of trust. It helps to know where sensitive data and controls are.

Data Flows

Tracking the movement of data through an application from entry points to exit points.

Configuration Management

Systematically managing application configurations, ensuring security settings and software versions are up-to-date and secure.

Sensitive Data

Identifying and protecting information that could be used to compromise the application or its users (e.g., passwords, financial data).

Session Management

Creating and managing user sessions securely and properly to prevent session hijacking or other attacks.

Decomposing an Application

Breaking down an application to identify entry and exit points and trust boundaries, aiding in security vulnerability detection.

What is application whitelisting?

A security technique that restricts the execution of applications to a pre-approved list, blocking any unauthorized software from running.

How does application whitelisting mitigate zero-day attacks?

By restricting the execution of untrusted applications, whitelisting prevents attackers from exploiting new vulnerabilities before a patch is available or antivirus signatures are updated.

What is the impact of application whitelisting on computer efficiency?

By blocking unnecessary and unauthorized applications from running, application whitelisting helps improve computer performance and resource utilization.

How does application whitelisting reduce the attack surface?

By controlling which applications are allowed to run, whitelisting reduces the number of potential attack vectors, making it harder for attackers to exploit vulnerabilities.

How does application whitelisting benefit bandwidth?

By blocking resource-intensive and unauthorized applications, such as streaming services or social media, whitelisting optimizes network bandwidth for essential business activities.

What legal advantages does application whitelisting offer?

Application whitelisting can help organizations avoid potential lawsuits or license fees by preventing the use of unauthorized or illegal software.

How does application whitelisting differ from antivirus?

Unlike antivirus software, which relies on signature updates, application whitelisting does not require constant updates to remain effective.

What is the main benefit of application whitelisting?

Application whitelisting provides strong protection against malware and other threats by restricting the execution of untrusted software, ensuring a secure environment for sensitive data and applications.

What is Application Security?

Protecting software applications from various threats and vulnerabilities. It aims to ensure the confidentiality, integrity, and availability of critical data.

What is Patch Management?

The process of regularly updating software applications with security fixes, bug repairs, and performance enhancements.

Application Whitelisting

A security mechanism that allows only pre-approved applications to run on a system. It prevents unauthorized software from executing.

Application Blacklisting

A security mechanism that blocks specific applications from running on a system. It prevents known malicious or unwanted software.

What is Application Sandboxing?

A security technique that isolates applications in a virtual environment, limiting their access to system resources and preventing potential harm.

Disabling Computer Configuration Settings

Restricting or disabling specific configuration settings on a computer to enhance security. It helps prevent unauthorized changes and potential vulnerabilities.

Software Restriction Policies

Security policies that define which applications are allowed or blocked from running on a system. They help ensure that only authorized software can execute.

Setting Security Levels

Configuring different levels of security for applications based on their sensitivity and risk. It helps protect critical data and applications from unauthorized access.

Application Sandbox Tools

Software tools that create isolated environments for applications to run safely. They help prevent applications from interfering with each other or the system.

Additional Application Whitelisting & Blacklisting Tools

Specialized software that complements traditional whitelisting and blacklisting by providing more granular controls and detailed reporting.

Patch Management

The process of identifying, testing, applying, and managing software patches to fix vulnerabilities and improve security.

Patch Application

The process of installing a patch onto a software system to address security vulnerabilities or update functionalities.

Web Application Firewall (WAF)

A security tool that filters malicious traffic from reaching web applications by analyzing and blocking potentially harmful requests based on predefined rules and patterns.

WAF Benefits

WAFs provide several benefits, including securing existing web applications, minimizing design workload, protecting cookies, preventing attacks like cross-site request forgery, detecting data validation issues, and demonstrating compliance with security standards.

Compliance with Standards

Meeting security regulations and industry standards like PCI, HIPAA, and GDPR, ensuring your application handles sensitive data responsibly.

Study Notes

Certified Cybersecurity Technician (CCT)

  • CCT is a certification offered by EC-Council
  • It focuses on cybersecurity skills, labs, and exams
  • The course is delivered by Emmanuel Ayam
  • Includes various social media links for the instructor

Module 9: Application Security

  • Application security involves managing and administering the security of applications on networks and computers

  • 9.1 What is a Secure Application

    • A secure application ensures confidentiality, integrity, and availability
    • A restricted resource is any object, data, feature or function designed to be accessed only by authorized users
    • Authentication checks the veracity of a secret presented by the user
    • Authorization grants an authenticated user access to protected resources
  • 9.2 Need for Application Security

    • Perimeter controls (firewalls, IDS) are not effective against application-layer attacks
    • Ports 80 and 443 are typically open through the perimeter, so attackers can reach and exploit application-level vulnerabilities
  • 9.3 Application Security Administration

    • Protecting users from harmful applications
    • Preventing applications from creating or modifying executable files
    • Preventing applications from accessing resources they do not need
    • Preventing applications from spawning other processes
    • Regularly updating and securely configuring applications
  • 9.4 Application Security Frame

    • Includes input validation, authentication, authorization, configuration management, web servers
    • Includes application security frameworks, sensitive data protection, session management, cryptography
    • Includes securing the network (router, firewall, switch, IDS, IPS)
    • Includes securing the host
  • 9.5 3W's in Application Security

    • Why: Applications are vulnerable to attacks because they are globally accessible
    • Who: Managers, architects, developers, testers, and administrators are responsible for application security
    • What: Security is required at various stages during application development
  • 9.6 Secure Application Design and Architecture

    • Security negligence during design and architecture can lead to expensive problems
    • Security vigilance early on detects potential flaws
    • Secure design is based on earlier SDLC requirements but can be challenging
  • 9.7 Goal of Secure Design Process

    • Identifying threats for developers, designing an architecture that addresses those threats, and enforcing secure design principles
  • 9.8 Secure Design Actions

    • Design the application according to security specifications
    • Define secure coding standards for the implementation
    • Perform threat modeling to identify threats
    • Design a secure application architecture
  • 9.9 Security Requirement Specifications

    • Software security requirements are non-functional requirements ensuring confidentiality, integrity and availability
    • Stakeholders often overlook security requirements, leading to vulnerabilities
    • Security requirements should be part of the strategic application development processes
  • 9.10 Define Secure Design Principles

    • Security through obscurity, secure the weakest link, use the least privilege principle, secure by default, apply defense in depth
    • Do not trust user input, reduce the attack surface, enable auditing, keep security simple, and enforce separation of duties
  • 9.11 Threat Modeling

    • Identifying, analyzing, and mitigating application threats
    • A structured development process
    • Iterative, and performed early in the design phase to expose threats
  • 9.12 Threat Modeling Helps To:

    • Identify relevant threats
    • Identify key vulnerabilities
    • Improve security design
  • 9.13 Threat Modeling Process

    • Identify security objectives, create an application overview, decompose the application, identify threats, identify vulnerabilities, then perform risk and impact analysis
  • 9.14 Design Secure Application Architecture

    • A typical web application has three tiers (web, application, database)
    • Security at each tier is critical; one vulnerability can affect the entire system
    • Design with a defense-in-depth principle (multi-tier security)
  • 9.15 Secure Coding Practices: Input Validation

    • Verify user inputs against defined criteria
    • Critical to prevent injection attacks on web applications
  • 9.16 Secure Coding Practices: Parameterized Queries and Stored Procedures

    • Parameterized queries keep code (the SQL statement) separate from data (the user-supplied values)
    • Prevents attackers from manipulating the query's intent
  • 9.17 Secure Coding Practices: Unicode Normalization

    • Unicode normalization converts equivalent strings to a single chosen canonical form before they are compared or validated
    • Necessary for web apps to avoid vulnerabilities like XSS
  • 9.18 Secure Coding Practices: Output Encoding

    • Converts unsafe characters into their equivalent encoded values
    • Prevents XSS attacks
  • 9.19 Secure Coding Practices: Error/Exception Handling

    • Handle unusual errors properly so they do not impact system integrity, confidentiality, or availability
  • 9.20 Secure Coding Practices: Secure Session Cookies

    • Cookies store session-specific data
    • Implement mechanisms to create random session IDs
    • Do not store plaintext passwords in cookies
    • Employ cookie timeout and randomization
  • 9.21 Secure Coding Practices: Secure Response Headers

    • HTTP response security headers harden the web application
    • HTTP Strict Transport Security (HSTS): Force usage of HTTPS
    • Content Security Policy (CSP): Protect from XSS, code injection, clickjacking
    • Cache-Control: Manage caching mechanisms
  • 9.22 Secure Coding Practices: Obfuscation/Camouflage

    • Making code harder to understand for those aiming to breach or reverse engineer it
    • Altering structural aspects of the code or encrypting strings
  • 9.23 Secure Coding Practices: Code Signing

    • Digital signatures validate software integrity during installation/execution
    • PKI (Public Key Infrastructure) is used for this verification
  • 9.24 Application Security Testing Tools

    • Lists tools that perform automated security testing
  • 9.25 Static Application Security Testing (SAST)

    • Involves detailed, systematic source code inspection
    • Performed toward the end of code development, when the code is stable
  • 9.26 Types of SAST

    • Automated source code analysis, manual source code review
  • 9.27 Dynamic Application Security Testing (DAST)

    • Involves simulating attacks on a running application from an 'outside' perspective
    • Performed by security professionals or with tools like Netsparker, Acunetix, or HCL AppScan
  • 9.28 Types of DAST

    • Automated and manual application security scanning
  • 9.29 SAST vs. DAST

    • SAST reviews the programming code, while DAST tests the running application's behavior from the perspective of a user or another system
  • 9.30 Web Application Fuzz Testing/Fuzzing

    • Quality checking for vulnerabilities by input manipulation
    • Feeds random or malformed data (fuzz) to the application during testing
  • 9.31 Steps of Fuzz Testing

  • 9.32 Application Whitelisting

    • Allows only approved applications to run, denying all others
    • Protects application assets from threats
    • Improves system visibility and reduces the attack surface by limiting what can run
  • 9.33 Advantages of Application Whitelisting

    • Prevents malware attacks
    • Mitigates zero-day attacks
    • Reduces the attack surface and improves security
    • Improves computational efficiency
  • 9.34 Application Blacklisting

    • Denies access to specified applications
    • Easy to implement
    • Low maintenance
  • 9.35 Disadvantages of Application Blacklisting

    • Limited in scope; cannot cover new types of threats
    • Not up to date with new attacks
  • 9.36 Using AppLocker for Application Whitelisting

    • Windows built-in tool for controlling applications, executables, and scripts
    • Allows control by file, folder, or path
  • 9.37 Using ManageEngine Desktop Central for Application Blacklisting

    • Desktop Central is a third-party application to manage and restrict blacklisted applications
    • Users can block executables, settings, and more
  • 9.38 Prerequisites and Disabling Local Group Policy

    • Steps to enable/disable local group policy
  • 9.39 Setting Security Levels

    • Used to set, define and apply security policies or levels
  • 9.40 Prohibit Software Features

    • Management of prohibited applications
    • Adding, managing and updating software on a prohibited list to control executable files
  • 9.41 Additional Application Whitelisting and Blacklisting Tools

    • List of tools that help perform additional whitelisting/blacklisting tasks
  • 9.42 Application Sandboxing

    • Isolates applications in a separate container to protect the system from malicious activity
    • Ensures that applications cannot access important files/resources
  • 9.43 Application Sandboxing Tools

    • List of different sandbox tools
  • 9.44 What is Patch Management?

    • Fix known vulnerabilities by installing appropriate patches
    • Steps involved in patch management (Detect, Assess, Acquire, Test, Deploy, Maintain)
  • 9.45 What is Patch Management?

    • Choosing, verifying, testing, and applying/updating patches
    • Listing, recording, and deploying patches
  • 9.46 Patch Management Tools

    • List of tools to support patch management tasks
  • 9.47 Web Application Firewall (WAF)

    • Secures the web server from malicious traffic
    • Places a filter/proxy in front of the web application to analyze traffic
  • 9.48 Benefits of Web Application Firewall (WAF)

    • Secures existing and productive web applications
    • Minimizes workload for developers
    • Provides cookie security with encryption
    • Prevents cross-site request forgery
  • 9.49 Configuring URLScan to Set Up as a WAF for an IIS Server

    • Using the Microsoft URLScan tool
    • Configuring URLScan criteria
  • 9.50 Web Application Firewall (WAF) Solutions

    • List of different WAF solutions available
  • 9.51 Bug Bounty Programs

    • Challenge programs to find vulnerabilities
    • Rewards given for reporting security flaws
  • 9.52 Web Application Security Scanners

    • Tools for identifying web application vulnerabilities
  • 9.53 Proxy-Based Security Testing Tools

    • Tools that test web application security by proxying traffic between the client and the application
  • 9.54 Web Server Footprinting Tools

    • Tools for footprinting web servers to identify vulnerabilities
  • 9.55 Module Summary

    • Module's core concepts
    • Software security and secure coding
    • Secure application development process
    • Tools to improve application security
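The notes above list input validation (9.15), parameterized queries (9.16) and output encoding (9.18) as secure coding practices. The following is an added example, not code from the EC-Council module, that puts the three side by side in Python on an in-memory SQLite table constructed for the demonstration: a string-built lookup whose intent is changed by SQL metacharacters in the input, its parameterized counterpart, and HTML encoding of a value before it is rendered.

```python
import html
import re
import sqlite3

# Constructed sample data for the demonstration (not from the module).
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


# 9.15 Input validation: an allow-list of the characters a username may contain.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_username(value):
    """Return True only if the value matches the expected shape of a username."""
    return isinstance(value, str) and USERNAME_RE.match(value) is not None


def lookup_unsafe(conn, name):
    """Vulnerable form: the input is spliced into the SQL text, so quote
    characters in it become part of the statement and change its intent."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """9.16 Parameterized form: the statement is fixed and the driver binds the
    value as data, so the same input is compared literally and matches nothing."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def render_greeting(name):
    """9.18 Output encoding: escape HTML metacharacters before the value is
    placed in a page, so a stored name cannot inject markup or script."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def lookup_validated(conn, name):
    """Defense in depth: validate first, and still use the parameterized query."""
    if not is_valid_username(name):
        raise ValueError("rejected by input validation")
    return lookup_safe(conn, name)


if __name__ == "__main__":
    db = make_db()
    tampered = "x' OR '1'='1"  # constructed input containing SQL metacharacters
    print(lookup_unsafe(db, tampered))  # every row: the WHERE clause was rewritten
    print(lookup_safe(db, tampered))    # []: compared as a literal string
    print(render_greeting("<script>"))  # <p>Hello, &lt;script&gt;</p>
```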
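For 9.20 (random session IDs, cookie timeout, no plaintext password in the cookie) and 9.21 (HSTS, CSP and Cache-Control headers), here is an added Python example, not the module's code, of a minimal server-side session store together with the cookie and response headers a login handler would emit; the 15-minute idle timeout and the CSP value are assumed choices for the example.

```python
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60  # assumed idle timeout for the example


class SessionStore:
    """Server-side session table: the browser only ever holds an opaque token."""

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock            # injectable so expiry can be tested
        self._sessions = {}            # session_id -> (username, last_seen)

    def create(self, username):
        # 32 bytes from the OS CSPRNG (9.20: random session IDs); the password
        # is never placed in the cookie, only this unguessable token.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (username, self._clock())
        return sid

    def resolve(self, sid):
        """Return the username for a live session, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        username, last_seen = entry
        if self._clock() - last_seen > self._ttl:
            del self._sessions[sid]    # 9.20: cookie timeout enforced server-side
            return None
        self._sessions[sid] = (username, self._clock())  # sliding idle window
        return username

    def rotate(self, sid):
        """Issue a fresh ID (e.g. after login) so a pre-login ID cannot be reused."""
        username = self.resolve(sid)
        if username is None:
            return None
        del self._sessions[sid]
        return self.create(username)


def session_cookie(sid, ttl=SESSION_TTL_SECONDS):
    """Set-Cookie value: HTTPS-only, hidden from script, not sent cross-site,
    and expiring in step with the server-side timeout."""
    return f"sid={sid}; Max-Age={ttl}; Path=/; Secure; HttpOnly; SameSite=Strict"


def security_headers():
    """9.21: response headers the application should send on every response."""
    return {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "Cache-Control": "no-store",
    }


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(session_cookie(sid))
    print(security_headers())
    print(store.resolve(sid))  # alice
```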

General Note

  • Various URLs are provided for specific tools and resources.

Related Documents

EC Council CCT Module 9-L PDF

Description

This quiz focuses on key concepts in security management and deployment diagrams. Participants will explore essential elements that administrators need to identify for effective application security and deployment. It covers scenarios, technologies, and external dependencies integral to the deployment process.
